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Abstract 


This  report  formalizes  a  notion  of  witnesses  as  the  basis  of  certifying  the  correctness  of 
software.  The  first  part  of  the  report  is  concerned  with  witnesses  for  the  satisfaction  of  linear 
temporal  logic  specifications  by  infinite  state  programs  and  shows  how  such  witnesses  may  be 
constructed  via  predicate  abstraction  and  validated  by  generating  and  proving  verification 
conditions.  In  addition,  the  first  part  of  this  report  proposes  the  use  of  theorem  provers 
based  on  Boolean  propositional  satisfiability  (SAT)  and  resolution  proofs  in  validating  these 
verification  conditions.  In  addition  to  yielding  extremely  compact  proofs,  a  SAT-based 
approach  overcomes  several  limitations  of  conventional  theorem  provers  when  applied  to  the 
verification  of  programs  written  in  real-life  programming  languages. 

The  second  part  of  this  report  formalizes  a  notion  of  witnesses  of  simulation  conformance 
between  infinite  state  programs  and  finite  state  machine  specifications.  The  report  also 
proves  that  computing  a  minimal  simulation  relation  between  two  finite  state  machines  is  an 
NP-hard  problem.  Finally,  the  report  presents  algorithms  to  construct  simulation  witnesses 
of  minimal  size  by  solving  pseudo-Boolean  constraints.  The  author’s  experiments  on  several 
nontrivial  benchmarks  suggest  that  a  SAT-based  approach  can  yield  extremely  compact 
proofs — in  some  cases  by  a  factor  of  over  105 — when  compared  to  existing  non-SAT-based 
theorem  provers. 
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1  Introduction 


There  is  an  evident  and  urgent  need  for  objective  measures  of  confidence  in  the  behavior  of 
software  obtained  from  untrusted  sources.  In  general,  the  lack  of  trust  in  a  piece  of  code 
stems  from  two  sources:  (1)  the  code  producer  and  (2)  the  delivery  mechanism  of  the  code  to 
the  consumer.  Unfortunately,  the  vast  majority  of  current  software  assurance  techniques 
target  the  above  sources  of  mistrust  in  isolation  but  fail  to  account  for  them  both. 

For  instance,  cryptographic  techniques  are  typically  unable  to  say  anything  substantial  about 
the  runtime  behavior  of  the  program.  Techniques  such  as  sandboxing  and  analytic 
redundancy  require  mechanisms  for  runtime  monitoring  and  appropriate  responses  to  failure. 
Additionally,  such  approaches  are  inherently  dynamic  and  unable  to  provide  adequate  levels 
of  static  correctness  guarantees.  Extrinsic  software  quality  standards  typically  have  a  heavy 
focus  on  process  and  are  usually  quite  subjective.  Moreover,  software  qualities  are  weakly 
related  to  desired  behavior,  if  at  all. 

This  report  presents  a  technique  that  uses  proofs  to  certify  software.  More  specifically,  we 
certify  a  rich  set  of  safety  and  liveness  policies  on  C  source  code.  Our  approach  consists  of 
two  broad  stages.  We  first  use  model  checking  [Clarke  00,  Clarke  82]  in  conjunction  with 
Counterexample-Guided  Abstraction  Refinement  (CEGAR)  [Clarke  03]  and  predicate 
abstraction  [Graf  97]  to  verify  that  a  C  program  C  satisfies  a  policy  S.  The  policy  S  may  be 
expressed  either  as  a  linear  temporal  logic  (LTL)  formula  or  a  finite  state  machine. 

Subsequently,  we  use  information  generated  by  the  verification  procedure  to  extract  a  witness 
Q.  We  show  how  the  witness  may  be  used  to  generate  a  verification  condition  VC.  We  also 
prove  that  C  respects  the  policy  S  iff  VC  is  valid.  The  witness  U  is  constructed  and  shipped 
by  the  code  producer  along  with  C  and  the  proof  P  of  VC.  The  code  consumer  uses  U  to 
reconstruct  VC  and  verify  that  P  truly  corresponds  to  VC.  Therefore,  in  our  setting,  the 
witness  U  and  the  proof  P  may  together  be  viewed  as  the  certificate  that  C  respects  S. 

While  the  above  strategy  is  theoretically  sound,  it  must  overcome  two  key  pragmatic 
obstacles.  First,  since  certificates  have  to  be  transmitted  and  verified,  they  must  be  small 
and  efficiently  checkable.  Unfortunately,  proofs  generated  by  conventional  theorem  provers, 
such  as  cvc  and  VAMPYRE,  are  often  prohibitively  large.  Second,  conventional  theorem 
provers  are  usually  unfaithful  to  the  semantics  of  C.  For  example,  they  often  do  not  support 
features  of  integer  operations  such  as  overflow  and  underflow.  This  lack  of  such  supoort 
means  that  certificates  generated  by  such  theorem  provers  are,  in  general,  not  trustworthy. 
For  example,  the  following  VC  is  declared  valid  by  most  conventional  theorem  provers, 
including  CVC  and  vampyre:  Vx .  (x  +  1)  >  x.  However,  that  statement  is  actually  invalid 
according  to  the  semantics  of  the  C  language,  due  to  the  possibility  of  overflow. 
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In  this  report,  we  propose  the  use  of  Boolean  satisfiability  (SAT)  to  solve  both  these 
problems.  More  specifically,  we  translate  VC  to  a  propositional  formula  $  such  that  VC  is 
valid  iff  is  unsatisfiable.  Therefore,  a  resolution  refutation  (proof  of  the  unsatisfiability)  of 
$  serves  as  a  proof  of  the  validity  of  VC.  We  use  the  state-of-the-art  SAT  solver 
zchaff  [Moskewicz  01],  which  also  generates  resolution  refutations,  to  prove  that  $  is 
unsatisfiable.  The  translation  from  VC  to  $  is  faithful  to  the  semantics  of  C  and  therefore 
handles  issues  such  as  overflow. 

We  have  implemented  our  proposed  technique  in  the  ComFoRT  [Chaki  05b]  reasoning 
framework  and  experimented  with  several  nontrivial  benchmarks.  Our  results  indicate  that 
the  use  of  SAT  leads  to  extremely  compact  (in  some  cases  over  105  times  smaller)  proofs  in 
comparison  to  conventional  theorem  provers.  One  important  reason  for  this  improvement  is 
that  the  SAT  formulas  generated  have  extremely  small  UNSAT-cores  (i.e.,  subformulas  that 
are  themselves  unsatisfiable).  ZCHAFF  has  sophisticated  heuristics  to  locate  small 
UNSAT-cores  of  its  input  formula.  Since  the  core  is  small,  so  is  its  refutation.  Further  details 
of  our  experiments  are  provided  in  Section  7. 

We  believe  that  this  report  contributes  not  just  to  the  area  of  software  certification  but  to 
the  much  broader  spectrum  of  scientific  disciplines  where  compact  proofs  are  desirable. 
Algorithms  to  compress  proof  representations  are  currently  a  topic  of  active  research.  This 
report  demonstrates  that  the  use  of  SAT  technology  is  a  very  promising  idea  in  this  context. 

The  rest  of  this  report  is  organized  as  follows.  We  discuss  related  work  in  Section  2  and 
present  preliminary  concepts  in  Section  3.  In  Section  4,  we  present  our  certification 
formalism  for  LTL  policies,  and  in  Section  5,  we  describe  our  technique  for  obtaining 
SAT-based  certificates.  In  Section  6,  we  present  our  certification  formalism  for  finite  state 
machine  policies.  Finally,  we  describe  our  experimental  results  in  Section  7  and  conclude  our 
ideas  in  Section  8. 
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2  Related  Work 


Necula  and  Lee  [Necula  96,  Necula  97,  Necula  98b]  proposed  Proof-Carrying  Code  (PCC)  as 
a  means  for  checkably  certifying  that  untrusted  binaries  respect  certain  fundamental  safety 
(such  as  memory  safety)  criteria.  Foundational  PCC  [Appel  01,  Hamid  02]  attempts  to 
reduce  the  trusted  computing  base  of  PCC  to  solely  the  foundations  of  mathematical  logic. 
Bernard  and  Lee  [Bernard  02]  propose  a  new  temporal  logic  to  express  PCC  policies  for 
machine  code.  Non-SAT-based  techniques  for  minimizing  PCC  proof  sizes 
[Necula  98a,  Necula  01]  and  formalizing  machine  code  semantics  [Michael  00]  have  also  been 
proposed.  Our  work  uses  proofs  to  certify  software  but  is  applicable  to  safety  as  well  as 
liveness  specifications  and  at  the  source  code  level. 

Arons  and  colleagues  [Arons  01]  have  proposed  techniques  to  heuristically  (and 
automatically)  lift  an  invariant  for  a  small  instance  of  a  parameterized  system  to  a  candidate 
invariant  for  the  entire  system.  The  candidate  invariant  is  then  checked  for  validity  since, 
unlike  in  our  framework,  it  is  not  known  whether  the  smaller  instance  of  the  parameterized 
system  is  an  abstraction  for  the  full  instance. 

Certifying  model  checkers  [Namjoshi  01,  Kupferman  04]  emit  an  independently  checkable 
certificate  of  correctness  when  a  temporal  logic  formula  is  found  to  be  satisfiable  by  a  finite 
state  model.  Namjoshi  [Namjoshi  03]  has  proposed  a  two-step  technique  for  obtaining  proofs 
of  /i-calculus  specifications  on  infinite  state  systems.  In  the  first  step,  a  proof  is  obtained  via 
certifying  model  checking.  In  the  second  step,  the  proof  is  lifted  via  an  abstraction.  This 
approach  is  more  general  than  ours  as  far  as  LTL  model  checking  is  concerned  but  does  not 
handle  simulation.  It  also  does  not  propose  the  use  of  SAT  or  provide  experimental 
validation. 

Magill  and  colleagues1  have  proposed  a  two-step  procedure  for  certifying  simulation 
conformance  between  an  infinite  state  system  and  a  finite  state  machine  specification.  In  the 
first  step,  they  certify  that  a  finite  state  abstraction  simulates  the  infinite  state  system.  In 
the  second  step,  they  prove  simulation  between  the  finite  state  abstraction  and  the 
specification.  Their  approach  does  not  cover  LTL  specifications  and,  in  particular,  is  unable 
to  handle  liveness  policies.  Also,  it  does  not  propose  the  use  of  SAT. 

Predicate  abstraction  [Graf  97]  in  combination  with  CEGAR  [Clarke  03]  has  been  applied 
successfully  by  several  software  model  checkers  such  as  SLAM  [Ball  01],  blast 
[Henzinger  02b] ,  and  MAGIC  [Chaki  04a] .  Out  of  these  model  checkers,  SLAM  and  MAGIC  do 
not  generate  any  proof  certificates  when  claiming  the  validity  of  program  specifications. 
blast  includes  a  method  [Henzinger  02a]  for  lifting  linear  time  safety  proofs  through  the 
abstraction  computed  by  their  algorithm  into  a  checkable  proof  of  correctness  for  the  original 
program.  It  does  not  handle  liveness  specifications  and  uses  the  non-SAT-based  theorem 
prover  VAMPYRE  for  proof  generation.  The  use  of  SAT  for  software  model  checking  has  also 
been  explored  in  the  context  of  both  sequential  ANSI-C  programs  [Clarke  04]  and 
asynchronous  concurrent  Boolean  programs  [Cook  05a].  Proving  program  termination  via 
ranking  functions  is  also  a  rich  and  developing  research  area  [Cook  05b,  Balaban  05] . 


1  Magill,  S.;  Nanevski,  A.;  Clarke,  E.;  &  Lee,  P.  Simulation-Based,  Safety  Proofs  by  MAGIC.  In  preparation. 
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3  Preliminaries 


In  this  section,  we  present  preliminary  definitions  and  results.  Let  Act  be  a  denumerable  set 
of  actions.  We  begin  with  the  notion  of  labeled  transition  systems. 


Definition  1  (LTS).  A  Labeled  Transition  System  (LTS)  is  a  quadruple  (S,  Init,T,,T) 
where:  (1)  S  is  a  finite  set  of  states,  (2)  Init  C  S  is  a  set  of  initial  states,  (3)  E  C  Act  is  a 
finite  alphabet,  and  (4)  T  C  S  x  E  x  S  is  a  transition  relation. 

Given  an  LTS  M  =  (S,  Init ,  E,  T),  we  write  s  s'  to  mean  (s,  a,  s')  £  T.  Also,  for  any 
s  £  S,  and  any  a  £  E  we  denote  by  Succ(s ,  a)  the  set  of  successors  of  s  under  a — in  other 
words, 

Succ(s,  a)  =  {s'  |  s  s'} 

Linear  Temporal  Logic.  We  now  define  our  notion  of  LTL.  Unlike  standard  practice,  the 
flavor  of  LTL  we  use  is  based  on  actions  instead  of  propositions.  This  distinction  is,  however, 
inessential  as  far  as  this  report  is  concerned.  The  syntax  of  LTL  is  defined  by  the  following 
grammar  in  Backus-Naur  form  (where  a  £  Act): 

<f>  :=  a  |  — k/>i  |  0i  A  02  |  X<^i  | 

The  semantics  of  LTL  is  fairly  standard,  and  we  do  not  describe  it  here.  In  fact,  we  do  not 
deal  with  LTL  specifications  directly  but  rather  via  an  equivalent  automata-theoretic 
formalism  called  Biichi  automata. 


Definition  2  (Biichi  Automaton).  A  Biichi  automaton  (or  simply  an  automaton)  is 
5-tuple  ( S,  Init,H,T,  F ),  where  (1)  S  is  a  finite  set  of  states,  (2)  Init  C  S  is  a  set  of  initial 
states,  (3)  EC  Act  is  a  finite  alphabet,  (4)  T  C  S  x  E  x  S  is  a  transition  relation,  and  (5) 
F  C  S  is  a  set  of  final  (or  accepting)  states. 


As  in  the  case  of  LTSs,  given  a  Biichi  automaton  B  =  ( S ,  Init ,  E,  T,  F ),  we  write  s  s'  to 
mean  (s,  a,  s')  £  T.  Also,  for  any  s  £  S  and  any  a  £  E,  we  denote  by  Succ(s ,  a)  the  set 
{s'  |  s  s'}.  A  trace  t  £  Act w  is  an  infinite  sequence  of  actions.  The  language  accepted  by 
an  automaton  is  a  set  of  traces  defined  as  follows. 


Definition  3  (Language).  Let  B  =  (S,  Init,  E,  T,  F)  be  any  automaton  and  t  =  (ao>  ai, . . .) 
be  any  trace.  A  run  r  of  B  on  t  is  an  infinite  sequence  of  states  (sq,s\,  . . .)  such  that  (1) 
so  £  Init  and  (2)  V*  >  0 .  Sj  Sj+i.  For  any  run  r,  we  write  Inf(r)  to  denote  the  set  of 
states  appearing  infinitely  often  in  r.  Then,  a  trace  t  is  accepted  by  B  iff  there  exists  a  run  r 
of  B  on  t  such  that  Inf(r)  D  F  0.  The  language  of  B,  denoted  by  C(B),  is  the  set  of  traces 
accepted  by  B. 
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We  define  the  product  between  an  LTS  and  an  automaton  in  the  standard  manner  as  follows: 


Definition  4  (Product  Automaton).  Let  M  =  (Si,  Initi,  Si,  Tf)  be  an  LTS  and 
B  =  (S2,  Init2,  £2,  P2)  be  an  automaton  such  that  Si  =  £2.  Then,  the  product  of  M  and 

B  is  denoted  by  M  <S>  B  and  defined  as  the  automaton  ( S ,  Init,  S ,T,F)  where  (1)  S  =  S\  X  S2, 
(2)  Init  =  Initi  x  Init2,  (3)  S  =  Si,  (f)  F  =  S\  x  F2;  and  (5)  T  is  defined  as  follows: 

Vsi,  Si  €  Si .  VS2,  s'2  G  S2  .  Vck  G  S  .  (si,  S2)  — >  (si,  S2)  si  A  S2  s'2 

Program.  We  have  applied  our  ideas  to  actual  C  programs.  However,  for  clarity  and 
simplicity  of  presentation,  we  use  a  programming  language  based  on  guarded  commands.  Let 
Var  be  a  denumerable  set  of  integer  variables.  The  set  of  expressions  Expr  is  defined  over 
Var  using  the  operators  +,  — ,  x ,  4-,  =  A,  and  the  C  bit-wise  operators. 

Program  Syntax.  An  assignment  is  a  pair  (v,  e)  where  v  G  Var  denotes  the  left-hand  side 
(LHS)  and  e  G  Expr  denotes  the  right-hand  side  (RHS).  The  set  of  assignments  is  denoted  by 
Asgn.  A  guarded  command  is  a  triple  ( Grd ,  Evt,  Cmd )  where  Grd  G  Expr  is  a  guard, 

Evt  G  Act  is  an  event,  and  Cmd  G  Asgn  is  an  assignment.  The  set  of  guarded  commands  is 
denoted  by  GrdCmd.  Given  a  guarded  command  gc  =  ( g,e,c ),  we  write  Grd(gc),  Evt(gc), 
and  Cmd(gc)  to  denote  g,  e,  and  c  respectively.  Finally,  a  program  is  a  pair  ( I,C )  where 
/  G  Expr  expresses  constraints  on  the  initial  states  of  the  program  and  C  C  GrdCmd  is  a 
finite  set  of  guarded  commands. 

Store.  A  store  is  a  function  a  :  Var  — >  Z  from  variables  to  integers.  The  set  of  all  stores  is 
denoted  by  Sto.  Any  store  a  naturally  induces  a  function  from  expressions  to  integers:  <r(e) 
is  the  integer  obtained  by  evaluating  e  under  a. 

Our  language  has  a  C-like  semantics  as  far  as  variables  and  operators  are  concerned.  Integers 
are  treated  as  32-bit  vectors.  Also,  the  arithmetic,  relational,  Boolean,  and  bit-wise  operators 
are  interpreted  in  a  C-like  manner.  In  particular,  there  is  overflow  and  underflow,  and  zero  is 
treated  as  false,  while  all  other  integers  are  treated  as  true. 

Definition  5  (Store  Update).  Given  a  store  a  and  an  assignment  a  =  (v,e),  we  write  a[a\ 
to  denote  the  store  resulting  after  executing  a  from  a.  In  other  words,  a[a\  is  the  same  as  a 
for  all  variables  other  than  v,  while  a[a](u)  =  <r(e). 

Definition  6  (Satisfaction).  Given  a  store  a  and  an  expression  e,  we  say  that  a  satisfies  e 
iff  a(e)  0.  We  denote  the  satisfaction  of  e  by  a  as  a  |=  e  and  write  a  \f=  e  to  mean 
-.(ct  |=  e). 

In  the  rest  of  this  report,  we  use  the  terms  formula  and  expression  synonymously,  since,  as  we 
have  seen,  any  expression  e  can  also  be  viewed  as  a  logical  formula.  The  models  of  e  are 
simply  the  stores  satisfying  e. 

Program  Semantics.  We  now  define  the  semantics  of  a  program  Prog  in  terms  of  a  labeled 
transition  system.  Intuitively,  the  states  of  the  LTS  are  stores,  its  initial  states  are 
determined  by  the  initial  condition  of  Prog,  and  its  transitions  are  determined  by  the 
guarded  commands  in  Prog.  Formally,  let  Prog  =  ( I,C )  be  a  program.  Then,  the  semantics 
of  Prog ,  denoted  by  [Prog],  is  an  LTS  (5,  Init,  S,  T)  such  that 
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1.  S  =  Sto 


2.  Init  =  {a  \  a  j=  1} 

3.  E  =  {Evt(gc)  \  gee  C} 

4.  <7  -—>■  a'  iff:  3gc  e  C .  cr  |=  Grd(gc)  A  a  =  Evt(gc)  A  a'  =  Cmd(gc)[a] 

Specification  Satisfaction.  Given  a  specification  as  a  negated  automaton  Spec,  we  say  that 
Prog  satisfies  Spec  and  denote  this  by  Prog  \=  Spec,  iff  C(\Prog\  ®  Spec )  =  0. 
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4  Temporal  Logic  Witness 


In  this  section,  we  present  our  proof  framework  for  programs.  We  consider  a  program 
Prog  =  (I,  C ).  We  begin  with  the  notion  of  strongest  postconditions.  For  any  expression  e, 
variable  v,  and  expression  t,  we  denote  the  expression  obtained  by  simultaneously  replacing 
all  occurrences  of  v  in  e  by  t  as  e[v/t}. 

Definition  7  (Strongest  Postcondition).  Let  Prog  =  ( I,C )  be  a  program,  e  be  an 
expression,  and  a  be  an  action.  Then,  the  strongest  postcondition  of  e  with  respect  to  a  is 
denoted  by  SV[e]{a]  and  defined  as  follows: 

SV[e]{a}  =  3v' .  \J  (g  A  e)[v/v'}  A  (v  =  t[v/v']) 

(g,a,(v,t))ec 

The  concept  of  strongest  postconditions  is  quite  standard.  In  particular,  the  following  fact 
about  strongest  postconditions  is  fairly  well-known.  Recall  that  a  state  of  Prog  is  a  store. 
Consider  any  expression  e  and  any  action  a.  Let  a  and  o'  be  stores  such  that  a  |=  e  and 
<7  o'.  Then,  o'  \=  SV[e]{a}.  This  idea  is  captured  by  the  following  well-known  fact. 

Fact  1  Let  Prog  be  a  program  and  [Prog]  =  (5,  Init ,  S,  T)  be  its  semantics.  Let  e  be  any 
expression.  Then,  the  following  holds: 

Vcr  £  S  .  Vo1  £  S  .  Va  £  S  .  ((<7  |=  e)  A  ( a  o'))  (o'  \=  SV[e\{a}) 

In  addition,  the  following  lemma  about  strongest  postconditions  will  be  useful  later  on. 


Lemma  1  Let  e\,  e 2  be  any  expressions  and  a  be  any  action.  Then,  the  following  holds: 

(SV[ei]{a]  V  SV{e2\{ot})  SV[e\  V  e2]{a} 


Proof. 


SV[ei}{a}  V  SV[e2]{a} 


3v' .  \J  (g  A  ei)[v/v'\  A  (v  =  t{v/v'\) 

(g,a,(v,t))eC 

V 

3v' .  \J  (g  A  e2)[v/v']  A  (v  =  t[v/v']) 

3v' .  V  (g  A  (ei  V  e2))[v/v']  A  (v  =  t[v/v'\) 
(. g,a,(v,t))£C 


SV[ei  V  e2]{a} 


This  completes  our  proof. 
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□ 


We  are  now  ready  to  present  the  formal  notion  of  a  proof  of  Prog  |=  Spec.  Recall  that  our 
goal  is  to  prove  C{\Prog\  <g>  Spec)  =  0.  Such  a  proof  essentially  encodes  a  stratified  ranking 
function  between  [Prog]  and  Spec.  Let  us  write  M®  to  mean  [Prog]  <8>  Spec.  Let 
M®  =  ( S ®,  Init ®,  £,  T®,  P®)  and  P  be  a  finite  set  of  integral  ranks.  Suppose  that  there  exists 
a  ranking  function  p  :  S'®  — ►  P  such  that  the  following  holds: 

•  (RANK1)  Init ®  C  Domain(p),  that  is,  all  initial  states  of  M®  have  a 
rank. 

•  (RANK2)  Vs  -5U  s' .  s  0  P®  =►  p(s)  >  p(s') 

•  (RANK3)  Vs  s'.s£f8=>  p(s)  >  p(s') 

Then,  there  is  no  infinite  path  of  M®  that  visits  an  accepting  state  infinitely  often,  that  is, 
£(M®)  =  0.  We  use  a  witness  to  encode  a  ranking  function.  We  also  use  appropriate 
side-conditions  to  ensure  that  the  ranking  function  satisfies  the  three  conditions  mentioned 
above.  We  now  state  this  formally: 


Theorem  1  (LTL  Witness).  Let  Prog  =  ( I,C )  be  a  program  and  Spec  =  (S,  Init,T,,T,  F) 
be  a  specification  automaton.  Let  R  be  a  finite  set  of  integral  ranks.  Suppose  that  there  exists 
a  function  17  :  S  x  P  — >  Expr  that  satisfies  the  following  four  conditions: 

1.  (Cl)  Vs  E  5 1  Vr  G  Pi  Mr'  G  R.r  /  r'  =>-  -i(f7(s,  r)  A  f7(s,  r')) 

2.  (C2)  Vs  G  /rot .  /  =>  Vr6Bn(*.»0 

3.  (C3) 

Vs  G  S\F.Ma  G  S.Vr  G  P.Vs7  G  Succ(s,  a)  .5P[17(s,  r)]{a}  =^-  \/ r,<rLl(s' ,r') 

l  (C4) 

Vs  G  P  .  Vo  G  S.Vr  G  P.  Vs7  G  Succ(s,  a) .  5P[17(s,  r)]{cc}  =J>  \fr'<r  r>) 

Then,  [Prog]  |=  Spec  and  we  say  that  17  is  a  witness  to  [Prog]  |=  Spec. 

Proof.  Let  us  write  M®  to  mean  [Prog]  <8>  Spec.  Recall  that  the  states  of  [Prog]  are  stores, 
and  hence  the  set  of  states  of  M®  is  Sto  x  S.  Thus,  it  suffices  to  define  a  ranking  function 
p  :  Sto  x  S  — >  P  that  satisfies  conditions  RANK1— RANK3  given  above.  Consider  any  store 
a  and  any  specification  state  s.  Due  to  condition  Cl,  there  can  be  at  most  one  rank  r  such 
that  a  |=  17(s,  r).  If  such  an  r  exists,  we  define  p(a ,  s)  =  r;  else,  p(a,  s)  is  undefined. 

To  show  that  p  satisfies  condition  RANK1,  consider  any  initial  state  (a,  s)  of  M®.  Recall 
that  Prog  =  (I,  C).  Hence  a  \ =  I  and  s  G  Init.  By  condition  C2,  there  exists  rGP  such  that 
<t  |=  17(s,r).  Therefore,  p(cr,s)  =  r,  which  is  what  we  want. 

To  show  that  p  satisfies  condition  RANK2,  consider  any  transition  ( a ,  s )  (a',  s')  of  M® 

such  that  ( a ,  s)  is  not  an  accepting  state  of  M®.  According  to  Definition  4,  this  means 
a  a' ,  s  s7,  and  s  fL  F.  Let  p(cr,  s)  =  r.  From  the  definition  of  p,  this  means  that 
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<7  |=  Ll(s,r).  Hence  from  Fact  1,  we  know  that  cr7  |=  5'P[H(s, r)]{a}.  Thus,  from  condition 
C3,  we  know  that  there  exists  r'  <r  such  that  a'  |=  Ll(s',r').  Therefore,  by  the  definition  of 
p,  we  have  p(a’ ,  s')  =  r'  <  r  =  p(a,  s ),  which  is  again  what  we  want. 

To  show  that  p  satisfies  condition  RANK3,  consider  any  transition  ( a ,  s)  (cr7,  s7)  of  M® 
such  that  (<t,  s )  is  an  accepting  state  of  M®.  According  to  Definition  4,  this  means  cr  cr7, 
s  s7,  and  s  £  -F.  Let  p(cr,  s)  =  r.  From  the  definition  of  p,  this  means  that  a  |=  fi(s,  r). 
Hence  from  Fact  1,  we  know  that  cr7  |=  5P[f!(s,r)]{a}.  Thus,  from  condition  C4,  we  know 
that  there  exists  r'  <  r  such  that  a'  |=  Ll(s',iJ).  Therefore,  by  the  definition  of  p,  we  have 
/o(cx7 ,  s')  =  r'  <  r  =  p(<7,  s),  which  completes  the  proof.  ^ 


Suppose  we  are  given  Prog ,  Spec  =  (5,  Init,  E,  T)  and  a  candidate  witness  H  over  a  set  of 
ranks  R.  Since  S,  E,  and  i?  are  all  finite,  it  is  straightforward  to  generate  a  formula 
equivalent  to  the  conditions  C1—C4  enumerated  in  Theorem  1.  We  call  such  a  formula  our 
verification  condition  and  denote  it  by  VC  (Prog,  Spec,  H).  In  essence,  on  account  of 
Theorem  1,  a  valid  proof  of  VC  (Prog,  Spec, it)  is  also  a  valid  proof  of  Prog  \=  Spec. 

Theorem  1  is  useful  in  checking  the  validity  of  a  proposed  witness  it.  However,  it  yields  no 
technique  to  construct  such  a  H.  In  this  section,  we  present  a  procedure  called  predicate 
abstraction.  In  the  next  section,  we  show  how  to  construct  a  valid  witness  using  predicate 
abstraction.  More  specifically,  if  our  procedure  actually  results  in  a  witness  it,  then  it  is 
guaranteed  to  be  valid.  In  other  words,  the  verification  condition  VC  (Prog,  Spec,  it)  is 
guaranteed  to  be  a  valid  formula.  We  begin  with  some  preliminary  definitions. 


Definition  8  (Predicate).  A  predicate  is  simply  an  expression.  Let  V  be  a  finite  set  of 
predicates.  A  valuation  ofV  is  a  function  from  V  to  {true,  false}.  The  set  of  all  valuations 
of  V  is  denoted  by  V(V).  Given  a  valuation  V  G  V(V)  of  V ,  the  concretization  of  V  with 
respect  to  V  is  denoted  by  ^(V)  and  is  the  expression  defined  as  follows: 

7^>(P)  =  f\veV  pX  where  for  any  predicate  p,  we  have  pTRUE  =  p  and  pFALSE  =  -,p. 


In  this  report,  we  only  consider  finite  sets  of  predicates.  We  write  7(F)  to  mean  j^(V)  when 
V  is  clear  from  the  context.  The  notion  of  concretization  presented  above  means  that  any 
valuation  V  can  also  be  thought  of  as  the  expression  7(F)  and,  therefore,  leads  naturally  to 
the  notion  of  consistency  between  valuations  and  expressions  and  between  two  valuations. 


Definition  9  (Consistency).  Let  V  be  a  valuation  of  a  set  of  predicates  V  and  e  be  an 
expression.  We  say  that  V  is  consistent  with  e  and  denote  this  by  V  lb  e,  iff  the  expression 
7 (F)  =>•  -ie  is  invalid.  In  other  words,  V  lb  e  3<7  £  St.o  .  a  |=  7(F)  A  cr  |=  e. 

Equivalently,  -i(F  lb  e)  iff  the  expression  7(F)  =>•  ->e  is  valid. 


Consistency  essentially  means  that  a  valuation  and  an  expression  are  not  mutually  exclusive. 
We  now  define  the  term  weakest  precondition,  a  concept  closely  related  to  the  term  strongest 
postcondition.  Recall  that  for  any  expression  e,  variable  v,  and  expression  t,  we  denote  the 
expression  obtained  by  simultaneously  replacing  all  occurrences  of  v  in  e  by  t  as  e\v/t\. 
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Definition  10  (Weakest  Precondition).  Let  Prog  =  (/, C)  be  a  program,  e  be  an 
expression,  and  a  be  an  action.  Then,  the  weakest  precondition  of  e  with  respect  to  a  is 
denoted  by  WV[e\{a}  and  defined  as 

WV[e]{a]  =  \J  gAe[v/t] 

( g,a,(v,t))eC 

The  relationship  between  the  strongest  postconditions  and  weakest  preconditions  is  expressed 
formally  by  the  following  lemma. 

Lemma  2  (Preconditions  and  Postconditions).  Let  e,e!  be  expressions  and  a  be  an 

action.  Then,  the  following  holds: 

(e  =$■  -LWP[e']{a})  =$■  [SV[e]{a]  ->e') 

Proof.  Let  us  begin  with  the  assumption  and  prove  the  conclusion 


e  =►  nWP[e']{a} 

(4.1) 

Expanding  out  the  definition  of  WV[e']{a}  in  (1),  we  have 

e  \J  gAe'[v/t] 

(. 9,a,(v,t))eC 

(4.2) 

Pushing  negation  inside  from  (2),  we  have 

e  =>  yy  -ig  V  -te'\v/t\ 

(. 9,a,(y,t))eC 

(4.3) 

Hence  from  (3),  for  each  (g,a,  (v,t))  E  C,  we  have 

e  =>  ~<g  V  -■e/  [v / 1] 

(4.4) 

Applying 

various  proof  rules  on  (4)  gives  us 

-ie  V  ->g  V  ->e'[v/t] 

(4.5) 

Let  v’  be 

a  completely  fresh  variable.  Then,  we  have 

Vv' .  -lefu/V]  V  -■  g[v/v']  V  -■  e'[v/t[v/v']] 

(4.6) 

Vv1 .  -te\v/v'\  V  -■  g[v/v']  V  ^((v  =  t[v/v'])  A  e') 

(4.7) 

Vr/  .  ->e[v/v']  V  -■  g[v/vr]  V  ~<(v  =  t[v/v'\)  V  -■e/ 

(4.8) 

Mv' .  ~<(e[v/v']  A  g[v/v ']  A  (v  =  t[v/v']))  V  -<e' 

(4.9) 

Since  (9) 

can  be  proved  for  each  ( g ,  a,  (v,  t))  6(7,  we  have 

Mv' .  -i(e[u/i/]  A  g[v/v'\  A  (v  =  t[v/v'\))  V  -ie7 

(g,a,(v,t))eC 

(4.10) 
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(4.11) 


Applying  various  proof  rules  on  (10)  gives  us 

W  .  -i((e  A  g)[v/v']  A  (v  =  t[v/v']))  V  -ie7 

(. 9,a,(v,t))eC 

\/v' .  y\  -i ((3  A  e)  [-u / 17/]  A  (v  =  t[v/v']))  V  -*e'  (4.12) 

(g,a,(v,t))eC 

Since  v'  does  not  appear  in  e7 

(Vv1 .  yy  -i((g  A  e)[v/v'}  A  (u  =  t[v/v'})))  V  -^e7  (4.13) 

(g,a,(v,t))eC 

Pulling  out  the  negation 

(-i3u7 .  \y  ((g  A  e)[v/v']  A  (u  =  ifr/V])))  V  -ie7  (4.14) 

(g,a,(v,t))eC 

3v' .  V  ((5  A  e)[u/u7]  A  (v  =  t[v/v']))  =7-  -ie7  (4.15) 

(. g,a,(v,t))eC 

Finally,  using  the  definition  of  SV[e]{a}  on  (15),  we  get 

SV[e]{a }  =>  -V  (4.16) 

which  is  the  desired  conclusion.  This  completes  our  proof.  □ 


We  are  now  ready  to  formally  define  the  predicate  abstraction  of  a  program  with  respect  to  a 
set  of  predicates. 

Predicate  Abstraction.  Let  Prog  =  (I,  C )  be  a  program  and  V  be  a  set  of  predicates.  Let 
[Prog]  =  (S',  Init,  E,  T)  be  the  semantics  of  Prog.  Then,  the  predicate  abstraction  of  Prog 
with  respect  to  V  is  denoted  by  ^Prog^v  and  defined  as  an  LTS  (S,  Init ,  E,  T)  where  (1) 

S  =  V(V)  :  the  states  are  the  valuations  of  V.  (2)  Init  =  { V  G  V(V)  \  V  lb  /},  (3)  E  =  E,  and 
(4)  T  is  defined  as  follows: 

VV,F7  G  V(P)  .Va  G  S.V^V'  <= =►  Llh  WF[7(F')]{a} 

Predicate  abstraction  enables  us  to  create  finite  LTS  abstractions  of  our  infinite  state 
programs.  More  importantly,  it  can  be  automated.  Given  Prog  and  V,  it  is  easy  to  construct 
§ Prog  from  the  definition  given  above.  In  order  to  check  for  consistency,  we  use  an 
automated  theorem  prover.  More  specifically,  suppose  we  want  to  check  if  V  lb  e.  Then,  in 
accordance  with  Definition  9,  we  check  for  the  validity  of  7 (V)  =>  ~^e  using  a  (sound)  theorem 
prover.  We  assume  -i( [V  lb  e)  iff  the  theorem  says  that  7(F)  =>■  -*e  is  valid. 

Generating  LTL  Witnesses.  We  now  present  an  algorithm  WitGen  for  constructing  a 
valid  witness  to  [Prog]  \=  Spec.  The  input  to  WitGen  is  (1)  a  set  of  predicates  V  such  that 
^Prog^v  |=  Spec  and  (2)  a  ranking  function  p  from  the  states  of  § Prog ^  <g>  Spec  to  a  finite 
set  of  ranks  R  that  obeys  conditions  RANK1  RANK3  given  in  Section  4.  We  defer  the 
question  as  to  how  such  a  set  of  predicates  V  and  ranking  function  p  may  be  constructed 
until  later.  The  output  of  WitGen  is  a  valid  witness  D.  The  following  theorem  conveys  the 
key  ideas  behind  our  algorithm. 
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Theorem  2  (Valid  Witness).  Let  Prog  =  (/,  C)  be  a  program,  Spec  =  (S,  Init,T,,T,  F)  be 
a  finite  specification  automaton  and  V  be  a  set  of  predicates  such  that  ffProgJ^’  \=  Spec.  Let 
^Prog^v  =  (V(P),  Init ,  E,  T).  Let  R  be  a  finite  set  of  integral  ranks  and  p  :  V(V)  x  S  — >  R  be 
a  ranking  function  that  obeys  conditions  RANK1— RANK3  given  in  Section  4 ■  Now 
consider  the  witness  :  S  x  R  — ►  Expr  defined  as  follows:  Pl(s,r)  =  M v-p(y  s)=r  7(C).  Then, 
Pi  is  a  valid  witness  to  [Prog]  |=  Spec. 


Proof.  It  suffices  to  show  that  Pi  satisfies  conditions  Cl— C4  given  in  Theorem  1.  We  first 
prove  Cl  by  contradiction.  Consider  any  s  G  S  and  r,r'  G  R  such  that  r  r'  and 
Pl(.s,  r)  A  Pl{s,  r')  is  satisfiable.  Now,  we  know  that 

VC  G  V(V) .  VC'  G  V(V) .  V  +  V'  =7  -(7(C)  A  7(C'))  (4.1) 

But  this  means  there  is  some  valuation  V  G  VifP)  such  that  p(V,  s)  =  r  r'  =  p(V,  s),  which 
is  a  contradiction.  This  completes  the  proof  of  Cl.  For  the  rest  of  the  proof,  we  note  that 
the  following  formula  is  valid: 

V  M(V)  (4.2) 

VeV(V) 

The  above  statement  holds  because  it  is  logically  equivalent  to  the  following  formula: 

f\  (p  v  -p)  (4.3) 

p&V 

To  prove  C2,  consider  any  s  G  Init  and  any  V  G  Init.  From  Definition  4,  we  know  that  (V,  s) 
is  an  initial  state  of  § Prog ]}P  <g>  Spec.  Since  p  satisfies  RANK1,  there  exists  r  G  R  such  that 
p(V,  s )  =  r.  Hence,  from  the  definition  of  Pi,  we  have 

V  7 (V)^\/ Pl(s,r)  (4.4) 

VGlnit  r£R 

Now,  from  the  definition  of  predicate  abstraction,  we  know  that  I  =7  —7(C)  for  each 
V  G  VifP)  \  Init.  Hence,  the  following  holds: 

V  l(V)  (4.5) 

VeV(T)\Init 

Also,  from  (2),  we  can  conclude  the  following: 

-  V  vOO^  V  700  (4.6) 

VeV(V)\Init  V&hUt 

From  (5)  and  (6),  we  know  that 

1^  V  7(C)  (4.7) 

V  G  Init 

Finally,  from  (4)  and  (7),  we  have 

I  ^  \J  Pl{s,r)  (4.8) 

rei?. 
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which  is  precisely  C2.  To  prove  C3,  consider  any  s  G  S  \F,  any  a  G  £,  any  r  €  R,  and  any 
V  such  that  /o(V,  s)  =  r.  From  the  definition  of  predicate  abstraction,  we  know  that,  for  each 
V'  G  V('P)  \  Succ(V,a),  the  following  holds: 

7(U)  =*.  nW[7(k')]{a}  (4.9) 

Using  Lemma  2,  for  each  V'  G  V('P)  \  Succ(V,  a),  we  have 

5P[7(U)]{a}  =►  ~q(V')  (4.10) 

Hence,  the  following  holds: 

V  7(v")  (4-ii) 

V'eV(V)\Succ(V,a) 

Also,  from  (2),  we  can  conclude 

V  7( ^ ')  =►  V  7(^)  (4.12) 

V'eeV{T)\Succ(V,a)  V'£Succ(V,a ) 

From  (11)  and  (12),  we  have 

SV[  7(U)]{a}  =>  \/  7(U')  (4.13) 

V'eSucc(V,a) 

Now  consider  any  s'  G  Succ(s,  a).  From  Definition  4,  we  know  that 

MV'  G  Succ(V,  a) .  (V,  -s)  (V7,  s')  is  a  transition  of  ([Prog]j-7:’  <g>  Spec  and  also  that  (V,  s)  is 

not  an  accepting  state  of  ^Prog\v  <S>  Spec.  Since  p  obeys  condition  RANK2,  we  know  that 
p(V' ,  s')  <  p(V,  s )  =  r.  Hence,  from  the  definition  of  H,  we  have 

i{V)=>  V  (4-14) 

r'<r 

Since  V'  is  an  arbitrary  element  of  Succ(V,a),  from  (14),  we  have 

V  7 (V')^  \/  n(s',r')  (4.15) 

V'eSucc(V,a )  r'<r 

From  (13)  and  (15),  we  have 

‘S'P['y{V)]{a}  =>-  Y  H(s',r')  (4.16) 

r'<r 

Since  U  is  any  valuation  such  that  p(V,  s)  =  r,  from  (16),  we  have 

V  SVMV)]{a}  ^  V  (4-17) 

V:p(V,s)=r  r'<r 

From  (17)  and  Lemma  1,  we  have 

SV[  \/  7(V)]W^  V  ^(SV)  (4‘18) 

V:p(V,s)=r  r'<r 
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Finally  from  (18)  and  the  definition  of  11.  we  have 

5F[0(s,r)]{a}^  \J  ft(s',r')  (4.19) 

r'<r 

which  is  precisely  C3.  The  proof  of  C4  is  very  similar  to  that  of  C3.  We  present  it  here  for 
the  sake  of  completeness.  Consider  any  sgF,  any  a  G  E,  any  r  G  R,  and  any  V  such  that 
p(V,  s )  =  r.  From  the  definition  of  predicate  abstraction,  we  know  that,  for  each 
V'  G  V(V)  \  Succ(V,a),  the  following  holds: 

7(U)  =>  -WV["i(V')\{a}  (4.20) 

Using  Lemma  2,  for  each  V'  G  V(V)  \  Succ(V,  a),  we  have 

SV[7(V)]{a}  =►  -l7(U/)  (4.21) 

Hence,  the  following  holds: 

5iP[7(U)]{a}^-  V  7(U')  (4.22) 

V',eV(P)\SiiCc(y,a) 

Also,  from  (2),  we  can  conclude 

V  7(0  ^  V  7(^0  (4-23) 

V'eeV{T)\Succ(V,a)  V'eSucc(V,a) 

From  (22)  and  (23),  we  have 

SP[7(U)]{a}  ^  V  7(V')  (4.24) 

V'€Succ(V,a) 

Now  consider  any  s'  G  Succ(s,  a).  From  Definition  4,  we  know  that 

W7  G  Succ(V,  a) .  (V,  s )  — >  (V7,  s')  is  a  transition  of  ([Pr0g]j-7:’  <g>  Spec  and  also  that  (V,  s)  is 
an  accepting  state  of  •{[Prog]}^’  <g>  Spec.  Since  p  obeys  condition  RANK3,  we  know  that 
p(V',  s')  <  p(V,  s)  =  r.  Hence,  from  the  definition  of  H,  we  have 

7(U')^  \/  n(s',r')  (4.25) 

r'<r 

Since  U'  is  an  arbitrary  element  of  Succ(V,a ),  from  (25),  we  have 

V  7<y')  ^  V  (4-26) 

y/G-S'itcc(V,o:)  r'<r* 

From  (24)  and  (26),  we  have 

SV[7(V)]{a}^  \/  H(s',r')  (4.27) 

r'<r 

Since  V  is  any  valuation  such  that  p(V,  s)  =  r,  from  (27),  we  have 

V  SV[7(V)]{a}^  V  (4-28) 

V:p(V,s)=r  r’<r 
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From  (28)  and  Lemma  1,  we  have 


sv[  \/  V  (4-29) 

V:p(V,s)=r  r'<r 

Finally,  from  (29)  and  the  definition  of  14,  we  have 

SV[n(s,r)}{a}  ^  \f  I4(s',r')  (4.30) 

r'<r 

which  is  precisely  C4.  This  completes  the  proof.  □ 


Getting  Predicates  and  Ranking  Functions.  Theorem  2  immediately  leads  to  an 
algorithm  WitGen  to  construct  a  valid  witness  14  to  Prog  |=  Spec.  However,  WitGen 
requires  as  input  an  appropriate  set  of  predicates  V  such  that  § Prog\v  j=  Spec ,  as  well  as  a 
ranking  function  p  satisfying  the  conditions  mentioned  in  Theorem  2.  A  suitable  V  may  be 
constructed  by  combining  predicate  abstraction  with  CEGAR.  More  specifically,  starting 
with  an  initially  empty  V,  we  use  the  following  iterative  procedure: 

1.  Construct  ^Prog^v . 

2.  Check  if  § Prog  |=  Spec.  If  so,  we  are  done.  Otherwise,  we  obtain  a 
counterexample  CE  to  ^Prog^v  |=  Spec. 

3.  Check  if  CE  is  a  valid  counterexample.  If  so,  then  Prog  \/=  Spec.  Hence,  no 
suitable  V  exists,  and  we  exit  unsuccessfully. 

4.  Otherwise,  we  construct  a  new  set  of  predicates  V  such  that  V  eliminates 
CE  and  then  go  back  to  Step  1. 

Full  details  of  such  a  procedure  can  be  found  elsewhere  [Chaki  04b] .  Due  to  the  fundamental 
undecidability  of  the  problem,  such  an  approach  is  not  always  guaranteed  to  terminate. 
However,  CEGAR-based  techniques  have  been  reported  to  be  quite 
successful  [Ball  01,  Henzinger  02b,  Chaki  04a]  in  software  verification  in  recent  times. 

Generating  the  Ranking  Function.  Once  an  appropriate  set  of  predicates  V  has  been 
found  by  the  above  procedure,  we  have  to  construct  a  ranking  function  p.  More  precisely, 
suppose  that  ^Prog^v  =  (V(V),  Init,  E,  T)  and  Spec  =  (S,  Init ,  E,  T,  F).  Then,  we  have  to 
construct  (1)  a  finite  set  of  integral  ranks  R  and  (2)  a  ranking  function  p  :  V(V)  x  S  — >  R 
that  obeys  conditions  RANK1— RANK3  given  in  Section  4.  We  now  give  an  algorithm  to 
achieve  these  two  goals. 

Let  us  denote  ^Prog^v  <8>  Spec  by  M®  and  let  M®  =  (S®,  Init®,  E,  T®,  F®).  Without  loss  of 
generality,  we  assume  that  both  S®  and  F®  only  contain  the  states  of  M®  that  are  reachable 
from  Init®  via  the  transition  relation.  Our  ranking  function  is  defined  on  only  S®,  and 
undefined  for  unreachable  states  of  M®. 

First,  we  note  that  M®  can  be  viewed  as  a  directed  graph  G®  =  ( N ,  E )  such  that 
( N  =  S®)  /\(E  =  {(s,  s')  |  3a  6  E  .  s  s'}).  Given  any  two  nodes  s  and  s',  we  say  that 

s  s'  iff  there  is  a  path  from  s  to  s'  in  G.  In  other  words,  s  ^  s'  iff  there  exists  a  finite 
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Figure  1:  Example  Graph  G  and  Induced  Directed  Acyclic  Graph  Gscc 


non-empty  sequence  of  states  si,  S2,  ■  ■  ■ ,  Sk  such  that 

(s  =  si)  A(s'  =  Sk)  A (V*  G  {1, . . . ,  k  —  1}  .  ( Si ,  «i+i)  G  E).  A  strongly  connected  component 
(SCC)  of  G®  is  a  set  of  nodes  ICJV  such  that  Vs  G  X  .  \/s'  €  X  .  s  s'.  A  node  of  G®  that 
does  not  belong  to  any  SCC  is  called  a  finitary  node.  It  is  evident  that  a  node  n  is  Unitary  iff 
for  every  run  x  of  M®  we  have  n  0  Inf(x).  We  also  know  that  § Prog  |=  Spec  and  hence 
£(M®)  =  0.  This  means  that  every  accepting  state  s  G  F®  must  be  finitary. 

It  is  also  well-known  that  every  directed  graph  G  induces  a  directed  acyclic  graph  Gscc .  The 
nodes  of  Gscc  are  the  maximal  strongly  connected  components  and  the  finitary  nodes  of  G, 
while  its  edges  are  induced  by  those  of  G.  Let  G®cc  be  the  directed  acyclic  graph  induced  by 
G®.  Let  O  =  (ni,ri2,  •  • .  ,nk)  be  a  topological  ordering  of  the  nodes  of  G^cc  such  that  if 
nt  -w  nj,  then  rij  appears  before  n*  in  O.  We  now  fix  our  set  of  ranks  R  to  be  {1,2, . . .  ,k} 
where  k  =  \0\.  We  first  define  a  ranking  function  pscc  for  the  nodes  of  G^cc  as  follows: 
pSCC  (n)  =  {  iff  n  =  nj  according  to  the  ordering  O.  We  then  use  pscc  to  define  a  ranking 
function  p  for  G®  as  follows: 

•  If  n  is  a  finitary  node,  it  is  also  a  node  of  G^cc .  Then  p(n)  =  pscc(n). 

•  Otherwise  n  belongs  to  an  unique  maximal  SCC  nscc ,  which  is  a  node  of 
G^cc .  In  this  case,  p(n)  =  pscc (nscc). 

As  an  example,  Figure  1  shows  a  G  on  the  left  and  the  induced  Gscc  on  the  right.  Each 
node  of  G  is  labeled  by  its  rank  inferred  from  a  particular  topological  ordering. 

We  now  show  that  p  satisfies  conditions  RANK1— RANK3  given  in  Section  4.  Condition 
RANK1  holds  because  /nit®  C  5®  =  Domain(p).  For  condition  RANK2,  consider  any 
transition  s  s'  of  M®  such  that  s  0  F®.  Now,  since  s  s',  we  have  p(s)  >  p(s'),  which  is 
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precisely  RANK2.  For  condition  RANK3,  consider  any  transition  s  -—>■  s'  of  such  that 
s  G  F/g,.  Recall  that  in  this  case,  s  must  be  a  finitary  node.  Hence  p(s)  /  p(s').  Since  s  s', 
we  have  p(s)  >  p(s' ),  which  is  precisely  RANK3. 

The  use  of  ranking  functions  for  proofs  of  liveness  properties  is  well  studied,  and  ours  is  but 
another  instance  of  this  methodology.  The  use,  and  limitations,  of  CEGAR  for  generating 
appropriate  predicates  are  orthogonal  to  the  witness  construction  procedure.  In  practice,  any 
oracle  capable  of  providing  a  suitable  set  of  predicates  can  be  substituted  for  CEGAR.  For 
instance,  some  of  the  predicates  can  be  supplied  manually,  and  the  remaining  predicates  may 
be  constructed  automatically. 
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5  SAT-Based  Certificates 


Suppose  we  are  given  a  program  Prog ,  a  specification  Spec ,  and  a  candidate  witness  17.  We 
wish  to  check  the  validity  of  17.  To  this  end,  we  construct  the  verification  condition 
VC  =  VC  (Prog,  Spec,Vt )  and  prove  that  VC  is  valid.  One  way  to  achieve  this  goal  is  to  pass 
VC  as  a  query  to  an  existing  proof-generating  automated  theorem  prover  such  as  CVC  or 
VAMPYRE.  However,  there  are  at  least  two  shortcomings  to  this  approach. 

First,  most  theorem  provers  treat  integers,  as  well  as  operations  on  integers,  in  a  manner  that 
is  incompatible  with  the  semantics  of  our  programming  language.  For  example,  our  language 
defines  integers  to  be  32- bit  vectors,  and  operations  such  as  addition  and  multiplication  are 
defined  in  accordance  with  two’s-complement  arithmetic.  In  contrast,  for  most  theorem 
provers,  integers  have  an  infinite  domain,  and  the  operations  on  them  are  the  ones  we  learned 
in  primary  school.  An  important  consequence  of  this  discrepancy  is  that  certificates 
generated  by  conventional  theorem  provers  may  be  untrustworthy  for  our  purposes.  For 
example,  the  following  verification  condition  is  declared  valid  by  most  conventional  theorem 
provers,  including  CVC  and  vampyre:  V.x  .  (x  +  1)  >  x.  However,  that  statement  is  actually 
invalid  according  to  our  language  semantics  due  to  the  possibility  of  overflow. 

In  addition,  the  proofs  generated  by  such  theorem  provers  are  usually  quite  large  (see 
Figure  3).  We  propose  the  use  of  a  SAT-based  proof-generating  decision  procedure  to 
overcome  both  hurdles.  Recall  that  the  verification  conditions  we  are  required  to  prove  are 
essentially  expressions.  Given  a  verification  condition  VC,  we  check  its  validity  as  follows: 

1.  We  translate  VC  to  a  SAT  formula  $  in  conjunctive  normal  form  such  that 
VC  is  valid  iff  $  is  unsatisfiable.  In  essence,  represents  the  negation  of 
VC. 

2.  We  check  for  the  satisfiability  of  $  using  a  SAT  solver.  If  $  is  found  to  be 
satisfiable,  VC  is  invalid.  Otherwise,  $  is  unsatisfiable,  and  therefore  VC 
is  valid.  In  such  a  case,  our  SAT  solver  also  emits  a  resolution2  proof  P 
that  refutes  $.  We  use  P  as  the  proof  of  validity  of  VC. 

In  our  implementation,  we  use  the  CPROVER  [Kroening  02]  tool  to  perform  Step  1  above. 

Step  2  is  performed  by  the  state-of-the-art  SAT  solver  zchaff  [Moskewicz  01],  which  is 
capable  of  generating  resolution-based  refutation  proofs  [Zhang  03] .  The  zchaff  distribution 
also  comes  with  a  proof  checker,  which  we  use  to  verify  the  correctness  of  the  proofs  emitted 
by  zchaff  as  a  sanity  check.  We  discuss  our  experimental  results  in  detail  in  Section  7.  We 
note  here  that,  in  almost  all  cases,  SAT-based  proofs  are  over  100  times  (in  one  case,  over  105 
times)  more  compact  than  those  generated  by  CVC  and  VAMPYRE.  Of  course,  our  proofs  are 
additionally  faithful  to  the  semantics  of  our  programming  language. 

It  is  important  to  understand  how  our  approach  addresses  the  two  shortcomings  of 
conventional  theorem  provers  presented  at  the  beginning  of  this  section.  The  first  problem 
regarding  language  semantics  is  handled  by  the  translation  from  VC  to  $  in  Step  1  above. 


2  Resolution  is  a  sound  and  complete  inference  rule  for  refuting  propositional  formulas. 
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Of  course,  the  translator  itself  now  becomes  part  of  our  trusted  computing  base.  However,  we 
believe  that  such  a  decision  is  amply  justified  by  the  resulting  benefits. 

The  second  difficulty  with  large  proof  sizes  is  mitigated  by  the  fact  that  a  $  generated  from 
real-life  programs  and  specifications  often  has  an  extremely  compact  resolution  refutation. 
Intuitively,  if  a  program  is  correct,  it  is  usually  so  because  of  some  simple  reason.  In  practice, 
this  simple  reason  for  correctness  results  in  having  a  much  smaller  unsatisfiable  core  C .  In 
essence,  C  is  a  subset  of  the  clauses  in  that  is  itself  unsatisfiable.  Since  $  is  in  CNF  form, 
it  is  possible  to  refute  $  by  simply  refuting  C.  State-of-the-art  SAT  solvers,  such  as  zchaff, 
leverage  this  idea  by  first  computing  a  small  unsatisfiable  core  of  the  target  formula  and  then 
generating  a  refutation  for  only  the  core.  Section  7  contains  more  details  about  the  kind  of 
compression  we  are  typically  able  to  obtain  by  using  the  unsatisfiable  core. 

Finally,  we  note  that  the  use  of  SAT  guarantees  trustworthiness  of  the  generated  certificate, 
even  if  we  use  a  non-SAT-based  theorem  prover,  such  as  SIMPLIFY  [Nelson  80],  for  predicate 
abstraction.  The  trustworthiness  of  the  generated  certificate  enables  us  to  use  fast,  but 
potentially  unfaithful,  theorem  provers  during  the  verification  stage  and  still  remain  faithful 
to  C  semantics  as  far  as  certification  is  concerned. 
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6  Simulation 


While  LTL  allows  us  to  reason  about  both  safety  and  liveness  properties,  it  is  nevertheless 
restricted  to  a  purely  linear  notion  of  time.  Simulation  enables  us  to  reason  about  the 
branching  time  properties  of  programs,  since  it  preserves  all  specifications  in  the  ACTL* 
temporal  logic. 


Definition  11  (Simulation).  Let  M\  =  (S\,Init i,X,Ti)  and  M2  =  (S2,  Init2,  £,  T2)  be  two 
LTSs.  Note  that  M \  and  M2  have  the  same  alphabet.  A  relation  TZ  C  Si  x  S2  is  said  to  be  a 
simulation  relation  if  it  satisfies  the  following  condition:  (SIM)  Vsi  G  Si  .  V.s;  G  Si  .  Vs2  G 
S2  ■  Va  G  £  .  (si,  s2)  G  TZ  A  si  s[  3s'2  G  <52  .  s2  s'2  A  (s;,  s'2)  G  7?..  We  sag  that  M\  is 
simulated  by  M2  and  denote  this  by  Mi  =4  M2,  iff  there  exists  a  simulation  relation 
TZ  C  Si  x  S2  such  that  Vsi  G  Init\  .  3s2  G  /mf2  .  (si,  s2)  G  7?.. 


Simulation  Witness.  We  are  now  ready  to  present  the  formal  notion  of  a  proof  of 
Prog  ^  Spec.  Such  a  proof  essentially  encodes  a  simulation  relation  between  Prog  and  Spec. 
The  idea  is  to  use  a  mapping  17  from  states  of  Spec  to  expressions  such  that  for  any  state  s  of 
Spec ,  17(s)  is  satisfied  by  those  states  of  Prog  that  are  simulated  by  Spec.  We  now  state  this 
formally. 


Theorem  3  (Simulation  Witness).  Let  Prog  =  (7,(7)  be  a  program  and 

Spec  =  ( S ,  Init ,  S,  T)  be  a  finite  LTS.  Suppose  that  there  exists  a  function  17  :  S  — >  Expr  that 

satisfies  the  following  two  conditions:  (Dl)  I  =$■  V s^imt  an d  (D2) 

Vs  G  S  .  Va  G  S  .  cvP[S7(s)]{a}  =>•  Vs'eS«cc(s  a)  71(s')-  Then,  [Prog]  ^  Spec,  and  we  say  that  17 
is  a  witness  to  [Prog]  ^  Spec. 

Proof.  Recall  that  the  states  of  [Prog]  are  stores.  Consider  the  relation  1Z  C  Sto  x  S  defined 
as  follows  :  (a,  s)  G  TZ  a  |=  17(s).  We  first  show  that  (GOAL1)  TZ  is  a  simulation 
relation  by  proving  that  TZ  satisfies  condition  (SIM)  from  Definition  11. 

1.  Let  (i)  (<7,  s)  G  TZ  and  (ii)  a  —>  a' . 

2.  From  l(i)  and  the  definition  of  TZ,  we  know  that  a  |=  17(s). 

3.  From  1  (ii) ,  2,  and  Fact  1,  we  know  that  a'  |=  5P[17(s)]{a}. 

4.  From  3  and  condition  D2,  we  know  that 

3s/  G  Succ(s ,  a)  .  a'  |=  17(s/) 

5.  From  4  and  the  definition  of  TZ,  we  have  (ex7,  s;)  G  TZ.  This  completes  the 
proof  of  GOAL1. 
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Next,  we  prove  that  (GOAL2)  for  every  initial  state  a  of  [-Prog] ,  there  is  an  initial  state  s  of 
Spec  such  that  (a.  s)  £  7 Z.  From  the  definition  of  program  semantics,  we  know  that  a  |=  I. 
Then,  from  condition  (Dl)  above,  we  know  that  3s  £  Init .  a  |=  Pl(s).  Therefore,  from  the 
definition  of  7 Z,  we  have  ( a ,  s)  £  7Z.  This  completes  the  proof  of  GOAL2.  Finally,  from 
GOAL1,  GOAL2,  and  Definition  11,  we  conclude  that  [Prog]  ^  Spec. 

□ 


Suppose  we  are  given  Prog ,  Spec  =  ( S ,  Init,  S,  T)  and  a  candidate  witness  77  Since  both  S 
and  S  are  finite,  it  is  straightforward  to  generate  a  formula  equivalent  to  the  conditions 
Dl— D2  enumerated  in  Theorem  3.  We  call  such  a  formula  our  verification  condition  and 
denote  it  by  VC  {Prog,  Spec,  fi).  In  essence,  on  account  of  Theorem  3,  a  valid  proof  of 
VC  (Prog,  Spec, Pi)  is  also  a  valid  proof  of  Prog  =4  Spec. 

Generating  Simulation  Witnesses.  We  now  present  an  algorithm  WitGenSimul  for 
constructing  a  valid  witness  to  [Prog]  =<!  Spec.  The  input  to  WitGenSimul  is  a  set  of 
predicates  V  such  that  § Prog  ^  Spec  and  a  simulation  relation  7 Z  between  the  states  of 
^Prog^v  and  the  states  of  Spec.  We  defer  the  question  as  to  how  such  a  set  of  predicates  V 
and  simulation  relation  7 Z  may  be  constructed  until  later.  The  output  of  WitGenSimul  is  a 
valid  witness  Pi.  The  following  theorem  conveys  the  key  ideas  behind  our  algorithm. 

Theorem  4  (Valid  Witness).  Let  Prog  =  (7,(7)  be  a  program,  Spec  =  (S,  Init,T,,T)  be  a 

finite  LTS,  and  V  be  a  set  of  predicates  such  that  ^Prog^v  p.  Spec.  Let 

t^ProgfjV  =  (V(P),  Init,  S,  T)  and  1Z  C  V(V)  x  S  be  a  simulation  relation  such  that 

(Al)  MV  £  Init .  3s  £  Init .  (V,  s)  £  7 Z.  Let  us  also  define  a  function  8  :  S  — ►  2V77  as  follows: 

(A2)  Ms  £  S .  9(s)  =  {V  |  (V,  s)  £  7Z}.  Now,  consider  the  witness  f 1  :  S  Expr  defined  as 

follows:  (A3)  Ms  £  S.Pl(s)  =  \/y€0^j(V).  Then,  Pi  is  a  valid  witness  to  [Prog]  =<!  Spec. 

Proof.  Clearly,  the  following  formula  is  valid: 

V  T{V)  (6.1) 

V&V(V) 

This  is  because  (1)  is  equivalent  to  the  following  formula: 

A  (p  V  -np)  (6.2) 

p&V 

First,  we  show  that  condition  Dl  of  Theorem  3  holds.  From  Al,  A2,  and  A3  above,  we 
conclude  that  the  following  is  valid: 

V  V  (6-3) 

V  £  Init  sGlnit 

Now,  from  the  definition  of  predicate  abstraction,  we  know  that  7  =>  -17 ( V )  for  each 
V  £  V(V)  \  Init.  Hence,  the  following  holds: 

7^-  V  700  (6-4) 

vev(T)\mt 


CMU/SEI-2006-TN-004 


21 


Also,  from  (1),  we  can  conclude  the  following: 


-  V  7(*o=s-  V  i(y) 

(6.5) 

VeV(V)\Init  V&hvit 

From  (4)  and  (5),  we  know  that 

V  7(V) 

(6.6) 

V  G  Init 

Finally,  from  (3)  and  (6),  we  have 

1^  V  H(S) 

(6.7) 

s£lnit 


which  is  precisely  Dl.  We  now  show  that  condition  D2  of  Theorem  3  holds.  Consider  any 
state  s£S,  any  V  £  0(.s),  and  any  a  £  E.  From  the  definition  of  predicate  abstraction,  we 
know  that,  for  each  V'  £  V(V)  \  Succ(V,  a),  the  following  holds: 

7(U)  =*  ->WP[y(V')]{a}  (6.8) 

Using  Lemma  2,  for  each  V'  £  V('P)  \  Succ(V \  a),  we  have 

SV[^{V)}{a}  =7  -7(U')  (6.9) 

Hence,  the  following  holds: 

SU[7(U)]{a}^  V  7(^')  (6-10) 

V’eV(V)\Succ{V,a) 

Also,  from  (1),  we  can  conclude 

V  7(’ ^ ')  =>  V  W)  (6-H) 

V'eeV(V)\Succ(V,a)  V'eSucc(V,a) 

From  (10)  and  (11),  we  have 

5U[7(U)]{a}  =7  \/  7(^)  (6.12) 

V’eSucc(V,a) 

Since  (U,  s)  £  1Z  and  TZ  is  a  simulation  relation,  we  have 

Succ(V,a)  C  |^J  0(,s,/)  (6.13) 

s'G5ucc(s,a) 

Hence,  from  (12)  and  (13),  we  know  that 

SP[7(U)]{a}^  V  V  7(U/)  (6.14) 

s'£Succ(s,a)  V'EO(s') 

From  (14)  and  the  definition  of  H,  we  have 

SV[7(V)]{a}  =7  \/  fi(s')  (6.15) 

s'  GSucc(s,a) 
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Since  V  is  any  element  of  0(s),  from  (15),  we  have 

V  SV(7(V)}{a}^  V  fi(s')  (6.16) 

VeO(s)  s'  £Succ(s,a) 

From  (16)  and  Lemma  1,  we  have 

SV[  \/  7(^)]{«}^  V  n(s')  (6‘17) 

V£0(s)  s'  £Succ(s,a) 

Again,  from  (17)  and  the  definition  of  Q,  we  have 

SP[H(s)]{a}  =►  \J  fi(s')  (6.18) 

s'ESucc(s,a) 

which  is  precisely  D2.  This  completes  our  proof.  □ 


Getting  Simulation  Predicates.  Theorem  4  immediately  leads  to  an  algorithm 
WitGenSimul  to  construct  a  valid  witness  f 1  to  Prog  =4  Spec.  However,  WitGenSimul 
requires  as  input  an  appropriate  set  of  predicates  V  such  that  ^Prog^v  p  Spec.  As  in  the 
case  of  LTL  model  checking,  such  a  V  may  be  constructed  by  combining  predicate 
abstraction  with  CEGAR.  More  specifically,  starting  with  an  initially  empty  V,  we  use  the 
following  iterative  procedure: 

1.  Construct  ^Prog^v . 

2.  Check  if  § Prog  Spec.  If  so,  we  are  done.  Otherwise,  we  obtain  a 

counterexample  CE  to  ^Prog^v  p.  Spec. 

3.  Check  if  CE  is  a  valid  counterexample.  If  so,  then  Prog  ^  Spec.  Hence,  no 
suitable  V  exists,  and  we  exit  unsuccessfully. 

4.  Otherwise,  we  construct  a  new  set  of  predicates  V  such  that  V  eliminates 
CE  and  then  go  back  to  Step  1. 

Full  details  of  such  a  procedure  can  be  found  elsewhere  [Chaki  05a].  As  in  the  case  of  LTL, 
due  to  the  fundamental  undecidability  of  the  problem,  such  an  approach  is  not  always 
guaranteed  to  terminate  but  has  been  found  to  be  quite  effective  in  practice. 

Witness  Minimization.  It  is  clear  from  Theorem  4  that  the  size  of  witnesses  and  proofs 
generated  by  WitGenSimul  is  directly  related  to  the  size  of  the  simulation  relation  1Z 
between  \Prog^  and  Spec.  In  this  section,  we  describe  an  algorithm  to  construct  a  minimal 
simulation  relation  between  two  finite  LTSs,  if  such  a  relation  exists.  Clearly,  such  an 
algorithm  can  be  used  to  construct  an  7 Z  of  minimal  size,  which  would,  in  turn,  lead  to  a 
witness  H  of  small  size. 

Our  algorithm  relies  on  a  well-known  technique  [Chaki  04a]  to  check  for  simulation  between 
finite  LTSs  using  satisfiability  for  weakly  negated  HORNSAT  formulas.  More  specifically, 
suppose  we  are  given  two  finite  LTSs  M\  =  (Si,  Init\ ,  E,  T{)  and  M2  =  (S2,  Init2,  S,  T2). 
Then,  we  can  construct  a  propositional  CNF  formula  \k  such  that  the  set  of  variables 
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appearing  in  'L  is  Si  x  £2.  Intuitively,  a  variable  (si,S2)  stands  for  the  proposition  that  state 
si  can  be  simulated  by  state  S2- 

The  clauses  of  'F  encode  constraints  imposed  by  a  simulation  relation  and  are  constructed  as 
follows.  For  each  si  6  Si,  each  S2  £  S2,  each  a  £  E,  and  each  .s}  £  Succ(s  1,  a),  we  add  the 
following  clause  to  'h:  (si,S2)  =$■  V s'  eSucc(s2  a)(si>s2)-  Intuitively,  the  above  clause  expresses 
the  requirement  that  for  S2  to  simulate  s  \ ,  at  least  one  a-successor  of  S2  must  simulate  s/1 . 
Also,  for  each  si  £  Init\ ,  we  add  the  following  clause  to  'h:  \J S2&Init2{s\,  52).  These  clauses 
assert  that  every  initial  state  of  M \  must  be  simulated  by  some  initial  state  of  M2.  Now,  'F 
has  the  following  simple  property.  Let  X  be  any  satisfying  assignment  of  \F,  and  for  any 
variable  v  =  (si,  S2),  let  us  write  X(si,  S2)  to  mean  the  Boolean  value  assigned  to  v  by  X. 
Then,  the  relation  1Z  =  {(si,S2)  I  A”(si,S2)  =  true}  is  a  simulation  relation  between  M\  and 
M2. 

Therefore,  we  can  construct  a  minimal  simulation  between  M\  and  M2  by  constructing  'F 
and  then  looking  for  a  satisfying  assignment  X  such  that  the  number  of  variables  assigned 
true  by  X  is  as  small  as  possible.  This  task  can  be  achieved  by  using  a  solver  for 
pseudo-Boolean  formulas  [Aloul  02],  A  pseudo-Boolean  formula  is  essentially  a  propositional 
formula  coupled  with  an  arithmetic  constraint  over  the  propositional  variables  (where  TRUE 
is  treated  as  one  and  FALSE  as  zero).  More  specifically,  recall  that  the  set  of  variables  of  'F  is 
£1  x  £2-  We  thus  solve  for  'll  along  with  the  constraint  that  the  following  sum  be  minimized: 
^  =  X^eSixS2  s ■  We  then  construct  a  minimal  simulation  relation  using  any  satisfying 
assignment  to  'F  that  also  minimizes  T. 

Hardness  of  Finding  Minimal  Simulation  Relations.  One  may  complain  that  solving 
pseudo-Boolean  formula  satisfiability  (an  NP-complete  problem)  to  verify  simulation  (for 
which  polynomial  time  algorithms  exist)  is  overkill.  However,  the  use  of  a  pseudo-Boolean 
solver  is  justified  by  the  fact  that  finding  a  minimal  simulation  between  two  finite  LTSs  is 
actually  an  NP-hard  problem. 

We  now  prove  this  claim  by  reducing  subgraph  isomorphism,  a  well-known  NP-complete 
problem,  to  the  problem  of  finding  a  minimal  simulation  relation  between  two  LTSs.  In  the 
rest  of  this  section,  whenever  we  mention  a  simulation  relation  between  the  LTSs  M\  and  M2, 
we  also  tacitly  assume  that  every  initial  state  of  M \  is  simulated  by  some  initial  state  of  M2. 


Definition  12  (Graph).  An  undirected  graph  is  a  pair  (V ,  E)  where  V  is  a  set  of  vertices 
and  E  C  V  x  V  is  a  symmetric  irreflexive  relation  denoting  edges. 


Definition  13  (Subgraph  Isomorphism).  Given  two  graphs  G\  =  (V\,E\)  and 

G2  =  (V2,  E2)  such  that  \  Vi\  <  \  V2I,  we  say  that  G\  is  subgraph  isomorphic  to  G2  iff  there 

exists  an  injection  p  :  V\  —>  V2  that  obeys  the  following  condition: 

\/v  £  V\  .\/v'  £  V\  .  (v,vr)  £  Ei  (p(v),p(vr))  £  E2. 


Note  that  we  do  not  allow  self-loops  in  graphs.  It  is  well-known  that,  given  two  arbitrary 
graphs  G\  and  G2,  the  problem  of  deciding  whether  G\  is  subgraph  isomorphic  to  G2  is 
NP-complete.  We  now  show  that  this  problem  has  a  log-space  reduction  to  the  problem  of 
finding  a  minimal  simulation  relation  between  two  LTSs.  In  essence,  from  G 1  and  (£2,  we 
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Figure  2:  Example  Graphs  and  LTSs  Constructed  from  Them 


construct  the  LTSs  M\  and  M2  such  that  G 1  is  subgraph  isomorphic  to  G2  iff  a  minimal 
simulation  relation  between  M\  and  M2  has  the  same  size  as  G\ . 

Recall  that  G\  =  (Vi,E{).  We  construct  Mi  =  (<Si,  Init\,  £,  Ti)  as  follows:  (1)  the  states  of 
Mi  are  exactly  the  vertices  of  V\ ,  i.e. ,  Si  =  V±,  (2)  all  states  of  Mi  are  initial  (i.e. , 

Init  1  =  Si),  (3)  Mi  has  two  actions  a  and  b  (i.e.,  £  =  {a,  6}),  and  (4)  the  transitions  T\  of 
Mi  are  set  up  as  follows:  (1)  for  each  ( v ,  v ')  £  E\  we  add  v  v'  and  v'  v  to  T\  and  (2) 

for  each  (v,vr)  fL  E\  we  add  v  v1  and  v1  — v  to  T\.  The  LTS  M2  is  constructed  from 
graph  G2  in  an  analogous  manner.  As  an  example,  Figure  2  shows  two  graphs  G 1  and  G 2,  as 
well  as  the  LTSs  M\  and  M2  constructed  from  them.  A  bidirectional  arrow  between  two 
states  (of  Mi  or  M2)  represents  a  pair  of  transitions — one  from  each  state  to  the  other.  Note 
that  Mi  and  M2  can  be  constructed  using  logarithmic  additional  space.  Now  our 
NP-hardness  reduction  is  completed  by  the  following  theorem. 


Theorem  5  (Reduction).  Let  n  be  the  number  of  states  of  Mi  (i.e.,  n  =  |S'i|y).  Then,  G\ 
is  subgraph  isomorphic  to  G2  iff  a  minimal  simulation  relation  between  M\  and  M2  has  n 
elements. 


Proof.  Let  1Z  be  any  minimal  simulation  relation  between  M\  and  M2.  First,  note  that  since 
every  state  of  M\  is  initial,  1Z  must  have  at  least  n  elements.  To  prove  the  forward 
implication,  assume  that  G\  is  subgraph  isomorphic  to  G 2,  and  let  p  be  a  function  satisfying 
the  condition  of  Definition  13.  Then,  the  following  relation  TZ  is  clearly  a  minimal  simulation 
relation,  since  it  has  exactly  n  elements: 

TZ  =  {(v,p(v))  |  v  e  Si} 

To  prove  the  reverse  implication,  suppose  that  TZ  is  a  minimal  simulation  relation  between 
Mi  and  M2  containing  n  elements.  Since  each  of  the  n  states  of  Mi  must  be  simulated,  TZ 
must  relate  each  state  of  Mi  to  a  unique  state  of  M2.  Now,  consider  the  function 
p  :  Si  — >  S2,  which  is  defined  as  follows: 

p(yi)  =  unique  V2  £  S2  such  that  (vi,V2)  £  TZ 
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We  show  that  fi  satisfies  the  criterion  in  Definition  13  as  follows: 


(v,v')  v'  =>  n(v )  /r(V)  (n(v),  n(v'))  E  E-2 

(v,v')  g  Ei  ^  v  -^v'  ^  n{v)  /r(u')  =*>  (n(v),n(v'))  0  E-2 

Now,  we  must  show  that  /i  is  an  injection.  Suppose  that  /i  was  not  an  injection.  In  that  case, 
we  have  two  elements  v\  and  v\  of  V\  such  that  n(vi)  =  /j(uj)  =  V2,  let’s  say.  But  then,  M2 
must  contain  at  least  one  of  the  following  two  transitions:  V2  V2  or  V2  V2 ■  This  is 
clearly  impossible,  and  it  also  completes  our  proof.  □ 
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7  Experimental  Results 


We  implemented  our  techniques  in  ComFoRT  [Chaki  05b]  and  experimented  with  a  set  of 
Linux  and  Windows  NT  device  drivers,  OpenSSL,  and  the  Micro-C  operating  system.  All  our 
experiments  were  carried  out  on  a  dual  Intel  Xeon  2.4  GHz  machine  with  4  GB  RAM  running 
Redhat  9.  Our  results  are  summarized  in  Figure  3,  which  obeys  the  following  convention. 


Name 

LOC 

CVC 

VAMPYRE 

SAT 

Cert. 

Core 

Improve 

ide.c  (safe) 

7428 

80720 

X 

100 

703 

>2000 

807 

ide.c  (live) 

7428 

82653 

X 

100 

1319 

>2000 

827 

tlan.c  (safe) 

6523 

11145980 

X 

517 

4663 

>200 

21559 

tlan.c  (live) 

6523 

90155057 

X 

572 

74281 

>200 

157614 

ahal52x.c  (safe) 

10069 

247435 

X 

210 

2102 

>1500 

1178 

ahal52x.c  (live) 

10069 

247718 

X 

210 

3968 

>1500 

1180 

synclink.c  (safe) 

17104 

9822 

X 

53 

185 

>500 

185 

synclink.c  (live) 

17104 

9862 

X 

53 

327 

>500 

186 

hooks. c  (safe) 

30923 

597642 

X 

369 

2004 

>1500 

1629 

hooks. c  (live) 

30923 

601175 

X 

368 

3102 

>1500 

1624 

cdaudio.c  (safe) 

17798 

248915 

156787* 

209 

2006 

>1000 

750 

diskperf.c  (safe) 

4824 

117172 

X 

106 

955 

>2500 

1105 

floppy.c  (safe) 

17386 

451085 

60129* 

318 

2595 

>3000 

189 

kbfiltr.c  (safe) 

12131 

56682 

7619* 

51 

528 

>2500 

149 

parclass.c  (safe) 

26623 

460973 

X 

262 

2156 

>4500 

1759 

parport.c  (safe) 

61781 

2278120 

102967* 

529 

3568 

>5000 

195 

SSL-srvr  (simul) 

2483 

1287290 

19916 

261 

1055 

>150 

76 

SSL-clnt  (simul) 

2484 

189401 

27189 

155 

740 

>200 

175 

Micro-C  (safe) 

6272 

416930 

118162 

262 

2694 

>5500 

451 

Micro-C  (live) 

6272 

435450 

X 

263 

7571 

>5500 

1656 

Figure  3:  Comparison  of  cvc,  vampyre,  and  SAT-Based  Proof  Generation 


The  symbol  x  indicates  that  results  are  not  available.  Best  figures  appear  in  boldface.  The 
LOC  column  contains  lines  of  code.  The  CVC,  vampyre,  and  SAT  columns  refer  to  proof 
sizes  in  bytes  (after  compressing  with  the  gzip  utility)  obtained  with  CVC,  vampyre,  and 
SAT,  respectively.  The  CVC  statistics  were  obtained  via  ComFoRT.  The  blast  statistics 
were  obtained  using  either  Version  2.0  of  blast  or  an  existing  publication  (indicated  by  an 
asterisk  [*]).  The  Cert  column  mentions  the  gzipped  certificate  (i.e.,  witness  +  proof  of  the 
verification  condition)  size  with  SAT.  The  Core  column  contains  the  factors  by  which  the 
unsatisfiable  core  is  smaller  than  the  original  SAT  formula.  Finally,  the  Improve  column 
refers  to  factors  by  which  SAT-based  proofs  are  smaller  than  the  nearest  other  proofs. 

The  Linux  device  drivers  were  obtained  from  kernel  2.6.11.10.  We  checked  that  the  drivers 
obey  the  following  conventions  with  spin_lock  and  spinmnlock:  (1)  locks  must  be  acquired 
and  released  alternately  beginning  with  an  acquire  (safe)  and  (2)  every  acquire  must  be 
eventually  followed  by  a  release  (live).  The  Windows  drivers  are  instrumented  so  that  an 
ERROR  location  is  reached  if  any  illegal  behavior  is  executed.  We  certified  that  ERROR  is 
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unreachable  for  all  the  drivers  we  experimented  with.  For  OpenSSL  (Version  0.9.6c),  we 
certified  that  the  initial  handshake  between  a  server  and  a  client  obeys  the  protocol  specified 
in  the  SSL  3.0  specification.  For  Micro-C  (Version  2.72),  we  certified  that  the  calls  to 
OS_ENTER_CRITICAL  and  OS_EXIT_CRITICAL  obey  the  two  locking  conventions  mentioned 
above. 

In  almost  all  cases,  SAT-based  proofs  are  over  100  times  more  compact  than  those  generated 
by  CVC  and  VAMPYRE.  In  one  instance — tlan.c  (live) — the  improvement  is  by  a  factor  of 
more  than  105.  We  also  find  that  an  important  reason  for  such  improvement  is  that  the 
UNSAT-cores  are  much  smaller  (by  over  two  to  three  orders  of  magnitude)  than  the  actual 
SAT  formulas.  Upon  closer  inspection,  we  discovered  that  this  is  due  to  the  simplicity  of  the 
verification  conditions.  For  instance,  the  device  drivers  satisfy  the  locking  conventions 
because  of  local  coding  conventions  (every  procedure  with  a  lock  has  a  matching  unlock).  In 
practice,  this  results  in  very  simple  verification  conditions.  Proofs  generated  by  CVC  and 
VAMPYRE  suffer  from  redundancies  and  inefficient  encodings  and  therefore  turn  out  to  be 
large  even  for  such  simple  formulas.  In  contrast,  SAT  formulas  generated  from  these  simple 
verification  conditions  are  characterized  by  small  unsatisfiable  cores. 

We  note  that  the  total  size  of  the  certificate  is  usually  dominated  by  the  size  of  the  witness. 
Finally,  we  find  that  certificates  for  liveness  policies  tend  to  be  larger  than  those  for  the 
corresponding  safety  policies.  This  is  due  to  the  additional  information  required  to  encode 
the  ranking  function,  which  is  considerably  more  complex  for  liveness  specifications. 
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8  Conclusion 


We  have  formalized  a  notion  of  witnesses  for  satisfaction  of  linear  temporal  logic  specifications 
by  infinite  state  programs  and  of  simulation  conformance  between  infinite  state  programs  and 
finite  state  machine  specifications.  We  have  described  how  such  witnesses  may  be  constructed 
via  predicate  abstraction  and  validated  by  generating  and  proving  verification  conditions. 

We  have  proposed  the  use  of  SAT-based  theorem  provers  and  resolution  proofs  in  proving 
these  verification  conditions.  Our  experimental  results  on  nontrivial  benchmarks  suggest  that 
a  SAT-based  approach  can  yield  extremely  compact  proofs.  Our  SAT-based  approach  also 
overcomes  several  limitations  of  conventional  theorem  provers  when  applied  to  the 
verification  of  real-life  programs. 

There  is  an  evident  need  for  techniques  to  obtain  compact  proofs  in  a  wide  variety  of 
disciplines.  Algorithms  to  compress  and  compact  proof  representations  are  currently  a  topic 
of  active  research.  In  this  context,  the  use  of  powerful  SAT  technology  appears  to  be  a  very 
promising  idea  and  warrants  further  investigation.  Extending  the  set  of  properties  that  can 
be  certified  effectively  would  also  enhance  the  scope  of  the  work  presented  in  this  report. 
Finally,  the  usefulness  of  SAT  for  constructing  compact  proofs  for  the  purpose  of  generating 
proof-carrying  binary  code  remains  an  important  yet  open  question. 

We  are  grateful  to  Stephen  Magill,  Aleksandar  Nanevski,  Peter  Lee,  and  Edmund  Clarke  for 
their  insight  on  Proof-Carrying  Code  and  model  checking.  We  also  thank  Rupak  Majumdar 
and  Ranjit  Jhala  for  providing  us  with  the  Windows  driver  benchmarks  and  Anubhav  Gupta 
for  his  advice  on  using  ZCHAFF. 
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